
Home Directory Permissions

Status
Not open for further replies.

ahhgeez

IS-IT--Management
Jul 16, 2007
9
US
What is the correct set of permissions for the home data directory for AD Windows 2003?

\\server\home\%username%

I am concerned that if I give the incorrect share/NTFS permissions to the "home" directory, users will be able to access each other's directories. Your advice is appreciated.
 
You can do it like that - sharing the "home" folder, but I prefer sharing each individual home directory. This is not difficult to do, even if you have 500 users - it's something that can easily and quickly be scripted.

In general, I set share permissions to EVERYONE:Full Control, and the NTFS permissions on each folder to:
%username%:full control
Domain Admins:full control
System:full control
NO ONE ELSE.
 
You can do it like that - sharing the "home" folder, but I prefer sharing each individual home directory.
Ouch - that's a whole lot of shares that the server keeps track of, and recreates on bootup.

Here are the SPECIAL rights I assign to the Domain Users group:

Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Create Folders/Append Data
Read Permissions

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
Huh? What are you talking about? There's ZERO issue with this. I've had servers handling hundreds of shares and never had a problem. And maybe I'm misunderstanding what you are referring to, but the shares aren't recreated on boot... the share information is stored in the registry, each share, and if you're going to say the shares are recreated on bootup, you might as well say the users are recreated on bootup as well... just doesn't make much sense to me.

Obviously, you can do it your way, but I prefer the KISS principle... Creating the shares is quick and easy and the permissions are all standard, no special attributes need be set.
 
Actually, shares are created/recreated during a server boot. That's why, if you delete a shared folder without removing the share first, you see the event log entries that it couldn't be created.

Having the individual folder shares does allow for easier mapping with Windows 9x devices (which don't like to map to a subfolder of a share). But, by using ADUC, and just entering \\servername\users\%username% in the home folder path, it's automatically created, and the correct permissions are applied. That, to me, seems simpler than manually creating a share each time and setting permissions on a per-folder basis. But that's just me.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
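
An audit for the concern raised in the opening post, added here as an example and not written by any poster in the thread: it walks each folder under the home root and reports any Allow entry for an identity other than the three named in the per-folder NTFS list above (%username%, Domain Admins, System). The share path default, the EXAMPLE domain name, the function name and the assumption that each folder is named after the user's logon name are illustrative.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
# Assumptions: $HomeRoot, the EXAMPLE domain, and folder name == logon name.
param(
    [string]$HomeRoot = '\\server\home',
    [string]$Domain   = 'EXAMPLE'
)

function Test-HomeFolderAcl {
    param([string]$Path, [string]$Owner, [string]$Domain)

    # Identities the thread's per-folder ACL permits; anything else is reported,
    # including BUILTIN\Administrators and CREATOR OWNER ("NO ONE ELSE").
    $allowed = @("$Domain\$Owner", "$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM')
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl

    $acl = Get-Acl -LiteralPath $Path
    $ownerHasFull = $false

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value

        if ($allowed -notcontains $id) {
            # An extra identity can reach this user's folder.
            [pscustomobject]@{
                Folder    = $Path
                Finding   = 'UnexpectedAllow'
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
        elseif ($id -eq "$Domain\$Owner" -and
                ($ace.FileSystemRights -band $full) -eq $full) {
            $ownerHasFull = $true
        }
    }

    if (-not $ownerHasFull) {
        # The folder's user is missing the Full Control entry from the list.
        [pscustomobject]@{
            Folder = $Path; Finding = 'OwnerLacksFullControl'
            Identity = "$Domain\$Owner"; Rights = $null; Inherited = $null
        }
    }
}

Get-ChildItem -LiteralPath $HomeRoot -Directory | ForEach-Object {
    Test-HomeFolderAcl -Path $_.FullName -Owner $_.Name -Domain $Domain
}
```

Entries reported with Inherited set to True come from the ACL on the shared parent folder, so they are fixed there rather than on each user folder.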
 